Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2017-7525

Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

POC

Reference

- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

- https://access.redhat.com/errata/RHSA-2017:1835

- https://www.oracle.com/security-alerts/cpuoct2020.html

- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Github

- https://github.com/0xT11/CVE-POC

- https://github.com/20142995/nuclei-templates

- https://github.com/ARPSyndicate/cvemon

- https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet

- https://github.com/BassinD/jackson-RCE

- https://github.com/BrittanyKuhn/javascript-tutorial

- https://github.com/CatalanCabbage/king-of-pop

- https://github.com/CrackerCat/myhktools

- https://github.com/Dannners/jackson-deserialization-2017-7525

- https://github.com/Drun1baby/JavaSecurityLearning

- https://github.com/GhostTroops/myhktools

- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

- https://github.com/GrrrDog/ZeroNights-WebVillage-2017

- https://github.com/Ingenuity-Fainting-Goats/CVE-2017-7525-Jackson-Deserialization-Lab

- https://github.com/Jake-Schoellkopf/Insecure-Java-Deserialization

- https://github.com/JavanXD/Demo-Exploit-Jackson-RCE

- https://github.com/Live-Hack-CVE/CVE-2017-15095

- https://github.com/Nazicc/S2-055

- https://github.com/NetW0rK1le3r/awesome-hacking-lists

- https://github.com/PalindromeLabs/Java-Deserialization-CVEs

- https://github.com/Pear1y/Vuln-Env

- https://github.com/Pear1y/VulnEnv

- https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095

- https://github.com/SexyBeast233/SecBooks

- https://github.com/ShiftLeftSecurity/HelloShiftLeft-Scala

- https://github.com/SugarP1g/LearningSecurity

- https://github.com/Threekiii/Awesome-Exploit

- https://github.com/Threekiii/Awesome-POC

- https://github.com/Threekiii/Vulhub-Reproduce

- https://github.com/XiaomingX/awesome-poc-for-red-team

- https://github.com/atul-joshi-aera/jackson-2017-7525

- https://github.com/bakery312/Vulhub-Reproduce

- https://github.com/boonyashka/scala

- https://github.com/brunsu/woodswiki

- https://github.com/cedelasen/htb-time

- https://github.com/clj-holmes/clj-watson

- https://github.com/conikeec/helloshiftleftplay

- https://github.com/cyb3r-w0lf/nuclei-template-collection

- https://github.com/do0dl3/myhktools

- https://github.com/dotanuki-labs/android-oss-cves-research

- https://github.com/g1san/Agents-for-Vulnerable-Dockers-and-related-Benchmarks

- https://github.com/galimba/Jackson-deserialization-PoC

- https://github.com/hdgittest/HelloShiftLeft-Scala

- https://github.com/hdgittest/HelloshiftLeft_scala

- https://github.com/hectorgie/PoC-in-GitHub

- https://github.com/hktalent/bug-bounty

- https://github.com/hktalent/myhktools

- https://github.com/ilmari666/cybsec

- https://github.com/ilmila/J2EEScan

- https://github.com/iqrok/myhktools

- https://github.com/irsl/jackson-rce-via-spel

- https://github.com/jaroslawZawila/vulnerable-play

- https://github.com/jault3/jackson-databind-exploit

- https://github.com/killvxk/Awesome-Exploit

- https://github.com/klarna/kco_rest_java

- https://github.com/klausware/Java-Deserialization-Cheat-Sheet

- https://github.com/lnick2023/nicenice

- https://github.com/martinzhou2015/writeups

- https://github.com/maxbitcoin/Jackson-CVE-2017-17485

- https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet

- https://github.com/mymortal/expcode

- https://github.com/nekuroporisu/android-oss-cves-research

- https://github.com/noegythnibin/links

- https://github.com/ongamse/Scala

- https://github.com/qazbnm456/awesome-cve-poc

- https://github.com/readloud/Awesome-Stars

- https://github.com/ronoski/j2ee-rscan

- https://github.com/rootsecurity/Jackson-CVE-2017-17485

- https://github.com/samuelabdelsayed/insecure-app

- https://github.com/seal-community/patches

- https://github.com/softrams/cve-risk-scores

- https://github.com/taielab/awesome-hacking-lists

- https://github.com/touchmycrazyredhat/myhktools

- https://github.com/trhacknon/myhktools

- https://github.com/wahyuhadi/spel.xml

- https://github.com/woods-sega/woodswiki

- https://github.com/xbl2022/awesome-hacking-lists

- https://github.com/xbl3/awesome-cve-poc_qazbnm456

- https://github.com/yahoo/cubed

- https://github.com/zema1/oracle-vuln-crawler